Tag Archives: Online Business

GDPR Marketing – Consent vs Legitimate Interest

In my Quick GDPR Compliance Plan yesterday I suggested GDPR presents an opportunity for businesses to sharpen their approach towards marketing by being more strategic. So, what should you specifically do to be able to use the contact details in your database for marketing purposes?

Marketing under the GDPR (whether postal, phone, email, SMS or any other form of marketing) is regulated like any other data processing activity. So, you must show that you have a lawful basis under Art 6 to conduct direct marketing, and this lawful basis does not necessarily have to be consent-based. In fact, it generally won’t be.

This is because the GDPR acknowledges that direct marketing will often be a ‘legitimate interest’ of the data controller (legitimate interests being a non-consent based ground for data processing) and therefore consent to direct marketing is often not required under the GDPR.

What about the E Privacy Directive?

However, as well as GDPR we need to take account of the Privacy Electronic Communications Regulations (known as the E Privacy Directive or PECR).

PECR covers electronic communications such as phone, fax, email and SMS. It requires opt-in consent for email and SMS marketing unless an individual’s contact details were collected in the context of a sale or negotiations for a sale (prospects). The other exception is if you are marketing to corporate subscribers (here the problem is that it’s difficult to exclude partnerships and sole traders who do not constitute corporates).

For these cases it is possible to send marketing communications by providing an unsubscribe link. And phone direct marketing is also generally possible on the basis of opt-out provided the call list is first screened against the relevant country’s national do-not-call registry. Here is a useful guidance note provided by the ICO recently.

Two weeks to go

If you’re coming at this a couple of weeks before 25 May, you’ll likely want to know what you need to do to be able to continue communicating with your contacts. Specifically, what should you do to be able to use the email addresses you have in your database for marketing purposes.

Given the shortage of time available now, the question is to what extent you may use legitimate interest to continue to market to your contacts. That still entails sending an email to ask for an opt in but once you’ve done so you are unlikely to get many opt ins, so it comes down to analysing your database to understand who you may continue to market to.

Have you been doing any emailing?

So much depends on what you have been doing with the email addresses you’ve collected. How good are your systems in terms of recording permissions and background information.

For example, if you use Mailchimp and have been sending out emails, you will know who has been engaging with your emails and who has not even opened them. So, if you have records of that nature available to you it’s possible to separate your list of engaged contacts from your list of unengaged contacts. That will improve deliverability of your email to your engaged contacts.

That sort of data ultimately helps you to narrow down the number of names and email addresses you need to sift through manually when deciding which individuals you may legitimately market to even if they don’t opt in when you send your email requesting an opt in.

Improving the quality of your data

I’ve spent a good part of the last 2 years sorting out our CRM records to more accurately identify the different category of contact in our systems. We moved systems a few times over the last few years, including from Infusionsoft to Microsoft Dynamics 18 months ago. This resulted in some messing up of our data. So, if you’re starting off from a point where you haven’t had time to organise your database it would be very difficult to do anything else but seek consent from the entire list of contacts and then sift through your database to identify those names to remove and those to retain.

Therefore, whatever email or series of emails you may decide to send out to get opt ins, it will be necessary to review your records afterwards to pick out names of customers who have bought from you and prospects or others whose consent you will not need.

Any business card contacts whose names you added to your database with their knowledge and approval you would need to take a view whether to continue to send emails to them.

I imagine that you will want to set yourself up properly moving forwards so that you collect emails in the right way, with relevant permissions duly recorded. Certainly, for me GDPR brought marketing lists and email marketing to the fore in a way that PECR had not.

If you want to market effectively, and be in compliance with GDPR and PECR, you have to have some sort of strategy about what emails you will be sending people moving forwards. This becomes especially relevant for web forms.

Web forms

To avoid the need for opt in tick boxes on your web form, you could comply with GDPR and PECR by including your newsletter as part of the offer. For example, if I’m offering a useful ebook on IP, I might say something like “Complete the form to receive our 7 Mistakes ebook and our monthly newsletter. If people don’t want the newsletter they can opt out at the earliest opportunity, but at least you don’t need to add tick boxes and go to extensive trouble if the whole reason for offering the ebook was to get an interested subscriber to whom you could send marketing communications.

This works if you know you will want to add everyone to one master list. It may not be transparent enough where you also want to send a sequence of emails relating to that ebook. If you do, then you would need to make this clear, or ask for further permissions in the email delivering the ebook.

Double opt in

Although not required by GDPR I recommend use of double opt in for delivering ebooks.

GDPR has given added reason to use this delivery mechanism. For one thing you can ensure it is a proper email address that the subscriber has provided. Secondly, you have more of an opportunity to get an opt in to something else if you send your request in the email delivering the valuable ebook because the email will be sitting in the subscriber’s emails whereas an opt in box is only fleetingly seen and may not be ticked.

Certainly, you should do some deep thinking about your future plans and objectives. If all you’re wanting is to know that you can send your sequence of emails relevant to that download then as long as you make it clear in the invitation to sign up to that download that it includes your regular sequence of emails you will have all the consents you need. So this should be one reason not to just collect email addresses without first having a clear overall plan.

If you don’t make it clear in the web page offer that you’ll be sending newsletters or other emails, or if you want to share data with third parties then you must have an opt in box on your web form.

I can’t stress enough how important it is that you properly understand the reasons for collecting email addresses, and whether you need to add opt in boxes.

If you would like help to comply with GDPR either now or after 25 May to review your marketing or other set ups, then do get in touch. We’d love to help.

Quick GDPR Compliance Plan.

In Why GDPR? I explained what the General Data Protection Regulations are aiming to achieve because understanding its underlying principles and rationale is key to protecting data appropriately in the new regulatory environment.

The principle of fairness and transparency runs through every aspect of data handling. We need to reconsider our approach so as to only collect as much information as we need to perform the service we’re delivering; ensure data is kept appropriately secure; that it is held no longer than necessary for the purposes for which it was collected; and we must ensure the data is accurate.

One simple way to deal with data accuracy is to organise a way for your contacts to have sight of the basic contact and marketing details you hold on them so they may update the details directly themselves.

While the transition to the new regime involves a substantial effort for many small businesses who are time poor, it will ultimately help us all to run better businesses with appropriate safeguards in place to protect others’ data.

However, given we now have about 2 weeks to go till 25 May, what should you be doing to work towards GDPR compliance? In an ideal world we would have all used the last 2 years to prepare for GDPR, but few small businesses were aware of GDPR until recently, so here are some steps you might want to take if you’ve only just decided to take action.

Data Audit

The starting point is to identify what type of personal data you hold, where you hold it, and why. Who has access to it? This is a major exercise but if you’ve got limited time in which to do it, focus on the big picture. Most businesses will have customers who have bought from them, prospective clients who have made enquiries, and a mixed bag of other contacts such as business card and other contacts.

A second category of contacts whose personal details you hold will be past and present employees and freelancers, and also past job candidates.

There will also possibly be a number of suppliers of services – call answering providers, external agencies you might use for web development and so on.

Once you’ve taken stock and done your mini audit you should have a better understanding of the information you’re holding about your clients, prospects, business card contacts, employees, contractors, suppliers and so on. In the process you will begin to notice who has access to your subscribers’ data. Depending on the nature of your business, it may be useful to look at your password lists to remind you of apps you use.

Keep records of your audit in the form of spreadsheets and a journal. You’ll be ready to draft your privacy notice as soon as you’ve decided the legal bases on which you hold the different types of data. Your old privacy policy is unlikely to be suitable so make sure you get access to a new style privacy notice, such as to our GDPR templates.

Documenting

It’s a fundamental principle of any outcome focused regulation that we should be able to demonstrate the reasons for our decisions. So, having a system in place where you can document your reasons is key. If the Information Commissioner’s Office ever needs to look into your business they will ask to see the audit records, and will expect you to have a spreadsheet ready to explain your processing activities.

If you’re doing a rushed audit to get your privacy notice sorted quickly do plan in some time in the coming months to go back over the audit to update it. Compliance isn’t a one off event for anyone.

If you process sensitive data such as about people’s racial or ethnic origins, political opinions, religious or philosophical beliefs, data concerning health or a person’s sex life or sexual orientation do you need to obtain explicit consent? What will you do about past data and for the future? They involve different issues. Think it through, and document your situation, and if you need guidance, get proper legal help.

Data Protection Officer?

You will also need to make some incidental decisions such as whether your business is required to appoint a Data Protection Officer and to do a Data Protection Impact Assessment. As a general rule, if you’re a small business and you’re not doing any profiling or processing of data on a large scale it’s unlikely you’ll need either of these.

However, as businesses are so different in terms of their size and processing activities, and the rules are still changing, even now, I suggest you look on the ICO’s website to decide whether you need to appoint a Data Protection Officer or to do a Privacy Impact Assessment, and then document your decision.

As already mentioned, before you can draft your privacy notice, an important decision you need to make is the lawful grounds for each of the processing activities you have identified. For most businesses the choice will be between

consent;
performance of contract;
legal obligation to which the controller is subject;
legitimate interests.

If you decide that you have a legitimate interest to continue to email your list of contacts, document your reasons for this. Like that you will have an audit trail to remind you why you took the decisions you took months after the event when memories will have faded.

Once you’ve done all this you should decide what steps you will have to take to comply with GDPR and put in place a prioritisation plan. It’s highly unlikely that you will be able to do everything in one go, so you’ll need to decide how to focus your available resources.

Pocessor Agreements

Particularly noteworthy for GDPR compliance is the need to get processor contracts in place with non-employees or other third parties who process data that you’re responsible for as “controller”. The GDPR rules require you to have a written agreement with your third party processors (for example, payroll provider, freelancers, software providers, as well as apps you may be using). The terms that must be included in the agreement are prescribed. Make a list of all the individuals and sites you use, and plan from there.

There will be some processors who need to sign your processor agreements more urgently than others depending on the data to which they have access and where they’re located. Get a few contracts ready to send out for signature.

If your processors are based in countries outside the EEA then you have additional obligations, such as to find out whether the country they’re located in has an adequacy finding. Only a dozen or so countries are considered adequate and the USA isn’t one of them. So, for US entities like Mailchimp, you’ll need to find out if the organisation is certified under the Privacy Shield and add this information to your Privacy Notice. If you cannot find any other basis then introduce a contract using the Model Clauses provided by the EU.

While in theory you can introduce a contract and continue your current data transfer activities, the GDPR principles should prompt you to rethink your current practices.

Freelance Resources

For example, using a one man band freelancer in India who has access to your entire database of contacts might be a questionable decision. You may want to reconsider whether you can really justify continuing to give access to so much data to someone based in an inadequate jurisdiction. However, if you’re committed to using that resource for now then put in place the Model Clauses and make a note to revisit this decision in the near future.

Using these documents with a freelancer who is not worth suing is arguably not an appropriate safeguard long term. So, you should reconsider your resourcing policy to gradually change the nature of the responsibilities you outsource to jurisdictions outside the EEA.

Certainly if you’re choosing new freelancers this might be an ideal opportunity to use one within the EEA.

For some businesses this use of freelancers or cloud technologies may present the biggest risk. See my blog post 3 Steps Every Business Will Need To Take To Comply With GDPR

If you use an appropriate provider for your templates you should be able to get a decent privacy notice in place to send to your freelancers and employees, and another one to post on your website. Then send an email to your subscribers to notify them of your new privacy notice and if you get a chance, give them a way to update their marketing preferences.

As for cookies, we use this neat solution for cookies on our website. There are a few cookie issues which I need to consider more deeply for our site, and so this is something I will be revisiting, and I’ve made an appropriate note in our risk management policy about it.

In conclusion, while there is a lot to do to comply with GDPR, it is possible to begin working towards compliance even now at this late stage. If you’ve not yet addressed these GDPR issues in your business and want help, Azrights is there to support you.

In my final blog post GDPR Marketing – Consent vs Legitimate Interest I’ll be covering marketing and how to set your strategy for the future so you can build your marketing lists in a GDPR compliant way. It’s a real opportunity for your business to sharpen its approach to marketing.

Why GDPR?

In yesterday’s post What Not To Do When It Comes To GDPR I outlined the confusion that the GDPR laws have spawned. Understanding why the GDPR rules were introduced, and what they are aiming to achieve will help in complying with them.

GDPR is the first wholescale attempt to tackle the many privacy issues and risks that arise from the processing powers of modern technologies and the internet. Protecting people’s personal data is a fundamental human right and is enshrined in the law.

As business owners with access to other people’s information we have responsibilities to support those rights. The old data protection laws were introduced at a time when the world was a very different place. They pre-dated the internet. Google had only just been founded and it was another 7 years before the iPhone was released.

GDPR addresses a new world where social media, cloud technologies, and apps often require access to our location, images, emails and other personal information. All of this means that behind the scenes our “personal data” is being processed and is forming part of massive, and ever-growing datasets. This in turn has led to the development of other technologies with names like big data and artificial intelligence (AI), which have major implications for data protection law.

The new technologies provide such extensive abilities for businesses to profile us and use data about us in ways we may not even be able to imagine, that if things continued unchecked by legislation our privacy would be seriously endangered. It’s worth watching the Black Mirror TV films to realise how important privacy is. It shouldn’t be taken for granted.

Terms and Conditions

It’s true that nobody reads terms and conditions when they want to use a new app or useful tool. The upshot is that we tend to agree to all sorts of conditions without even being aware what we’ve signed up for. However, that’s not because we don’t care about our data. It’s because we assume there is no alternative. The reason we don’t read terms before we give consent to use of our information is that we often don’t have time, and want to avail ourselves of the services and tools on offer.

The GDPR regulations are designed to ultimately enable us to get access to products and services without giving away so much of our data. GDPR changes the existing scenario by ensuring we become better informed about the implications on the one hand, and are given real choices on the other.

For example, the regulations impose requirements on tech companies to educate us and to design their platforms with privacy considerations in mind. This means a “take it or leave it” stance to accessing our information in return for letting us use an app is unlikely be the prevailing attitude of future apps.

The legislation has teeth. There are eye watering fines for companies that ignore GDPR, which will have even the richest of them pay attention. All of us need to minimise the data we collect to what is really needed.

I’ve sometimes wondered whether some ecommerce sites really need to take my date of birth when all I’m doing is buying an item of clothing and paying by credit card or paypal. Why ask for my date of birth during the registration process? I used to abandon my shopping if a site asked for my date of birth, but then as more and more of them did so, I reluctantly gave them this information. But it didn’t mean I was happy to share this data.

GDPR discourages taking more information than necessary for the product or service to be delivered. By reducing the information we must give when signing up with a new provider we will be able to minimise the quantity of data that is collected about us. Data minimisation is an important GDPR principle.

GDPR Will Be Even More Important After 25 May

GDPR is no Y2000 or deadline driven momentum which will go away once we pass 25 May. Far from it.

It’s worth mentioning here that the UK is firmly committed to complying with GDPR long term so Brexit will not affect the applicability of GDPR to UK businesses. Even organisations outside the EEA are realising the implications GDPR has on them (because they process EU individuals’ personal data) so they’re busy making changes to their platforms to avoid being locked out of the EU market. They have little choice but to comply with the EU’s GDPR laws and nor have you.

Although there are powers to impose hefty fines and administrative penalties, the ICO has been at pains to let it be known that fines are not going to be their first line of attack. Instead they want to encourage and educate so that all businesses become aware of the new laws and implement necessary changes.

Work Towards Compliance Now

Still that doesn’t mean the ICO’s tolerant stance is condoning those business that are taking no action, and simply ignoring compliance with GDPR.

Coming to the attention of the regulator is never desirable, as it could take up time and resources you may not have, and end up costing you a lot more money as a result. Far easier to take stock now and deal with it, and get peace of mind that you’re on your way to complying with GDPR. What’s the point of delaying?

25 May will be just the beginning of a sea change in the way businesses manage and process data. GDPR is designed to make us all far more responsible and thoughtful about the data we hold. There will be a gradual cultural shift such as occurred with stop smoking campaigns, or seat belt wearing, or not drinking and driving. Our children and grandchildren will become savvy about their data, and will use the available controls to protect their data and minimise what they give access to.

GDPR Is Overwhelming

I’m not going to try to minimise it and tell you that complying with GDPR will be simple. The truth is that GDPR is all encompassing, impacting so many different areas of a business that it can be quite overwhelming for businesses. Business owners are already time poor and stretched thin. Taking on the onerous obligations of GDPR on top of managing a business is no mean feat. However, it is a legal requirement to comply. Also, it does present a chance to run a better business.

I’m confident that businesses that adopt the right approach and tackle GDPR by putting in place the right systems and procedures will improve their businesses in the process. They will also find it easier to work towards compliance on an ongoing basis ensuring that GDPR principles become second nature to them.

So, I would urge you to take the plunge and embrace GDPR, as you do so many other areas of your business. Begin to understand your obligations so you can put in place the steps to take responsibility for the data you’re handling.

Once you’ve set your strategy, including for matters like marketing, and drafted your GDPR compliant Privacy Notice you’ll need to send it to your clients and subscribers and add it to your website. Your data subjects have the right to know how you collect and process their personal data, for what purposes you use their data, the legal grounds of processing such data, and how you keep their data secure, as well as their rights in relation to such data. That’s what the new style Privacy Notice details.

In tomorrow’s blog Quick GDPR Compliance Plan we’ll look at tactical seps to complying with GDPR.

GDPR And What Not To Do

Every organisation is affected by Europe’s new General Data Protection Regulation or GDPR as it’s known. I’m sure you’ve heard plenty about it.

GDPR represents one of the biggest shake ups in the privacy and data protection laws since the internet. The recent Cambridge Analytica and Facebook incident involving misuse of hundreds of Facebook profiles has only added to the significance of GDPR.

GDPR is a complex piece of legislation which applies to every business whatever its size. If you have names, phone numbers, email addresses of customers, prospects, employees or suppliers, then GDPR affects you.

GDPR looks set to become one of the most substantial pieces of legislation that businesses of every size will have to tackle. Companies that had previously regarded non-compliance with data protection laws as low risk are beginning to re-evaluate their positions in the light of the substantial new fines, increased enforcement powers and grounds for judicial remedies that exist under the GDPR.

Chaos And Myths

So, there is chaos currently as myths have come about to the effect that after 25 May you cannot communicate any more with customers, or leads who came on board before 25 May. Some businesses sending out these emails have no clear idea why they are sending them. It’s sometimes a knee jerk reaction, and therefore ill thought through. They risk having to stop communicating with many of their existing lists, and past subscribers.

You don’t have to do that. However, there are certain processes you do need to put in place and decisions you need to make as a business owner to allow you to continue communicating with your subscribers.

GDPR isn’t the simplest of laws. There are numerous regulations that come under the GDPR umbrella. There are grey areas and until there is a body of case law, it’s not completely clear how certain aspect of the law will be interpreted. The key point is that you don’t have to send one of these emails telling your customers that you won’t be communicating with them anymore. There are strategies you can adopt to avoid being one of those businesses sending out these emails which are clogging up people’s inboxes.

Opt In Forms?

And if you capture data on a website by offering useful information, or letting site visitors request a call back or information, GDPR covers this too and there are a series of steps you need to take as a business to know how to carry on doing that. There are some myths that have built up around this too. You don’t necessarily need to add tick boxes. You can comply without one, and if you do add one you need to make sure you understand why you’re adding one. Otherwise, you could still end up non compliant despite paying web developers to add them. Depending on the form and what you want to achieve you may be able to avoid adding a tick box by changing the terms of your offers. I talk about that later in this series of 4 training blogs.

Compliance with GDPR involves a number of steps, including putting in place documents to be able to show your compliance should the Information Commissioner’s Office (ICO) need to investigate you for any reason. These are the key points to be aware of.

This mini training tells you what you need to know to work towards GDPR compliance. Whether you do this in time to meet the deadline of 25 May 2018, or come to it later after the deadline has passed, as many will, it’s important to realise that compliance with GDPR is not optional, just as operating PAYE, or other legal obligations are not optional. Nor is it something you do once and then forget about.

The Right Steps To Comply

Better to take some steps, albeit imperfect ones, than to take none at all towards compliance. But make sure they’re the right steps. Avoid taking quick decisions to send ill-considered emails asking for consent or to add tick boxes to your web forms. First make sure you have adequate information and legal guidance to properly assess the situation you face. Then decide what steps to take to address the different categories of data you currently hold. The aim is to preserve your ability to communicate with your people.

And nothing in the regulations require you to delete data in a hurry. If you conclude that you cannot market to a list of people you do not need to remove them from your system before 25 May.

Future Proofing

In terms of how to deal with collection of email addresses in future, make sure you are clear about what you want to achieve. Then properly understand what you need to do to be compliant. For example, what will you do when you go out networking and collect business cards? What changes will you make to existing forms on your website? It will vary depending on the form in question. What changes do you need to introduce? Then proceed to organise changes once you have an overall plan. Don’t do things in a piecemeal fashion.

I will say this. You may not need to engage your web developers to add opt in and opt out boxes on your forms. Before you proceed with development work take stock and set an appropriate strategy and document your decision. In the Marketing element of this training I’ve got some ideas for you on how you might address this but first it’s important to understand what these GDPR laws are aiming to achieve, as you’ll be better placed to implement your compliance plan.

The next blog in this series is Why GDPR?

Blogging Without Infringing

In my previous post, I looked at the issue of protecting your blog content and identity. This blog briefly looks at some of the issues concerning the inclusion of other people’s materials in your content.

As I mentioned in the last blog, as a blogger you need to look in both directions when it comes to intellectual property (“IP”). In particular, you should ensure that what appears on your blog – be it text, photos, or comments – does not infringe the IP rights of someone else.

Before you launch your blog, with your new blog identity, you should carry out trade mark searches to make sure your name, tagline and logo don’t infringe the registered trade marks of another person or company.

Public domain and copyright

Moreover, make sure the contents of your blog presence don’t infringe someone else’s copyright. Content is not necessarily in the public domain just because it is freely available to access on the Internet. Unless you have created the content yourself – for example, taken that photograph yourself – you cannot assume that it is not protected by copyright. In fact, you should usually assume the opposite.

Most content is protected by copyright and that copyright will only expire 70 years after the death of the author. While it’s true that there are exceptions which permit some use of protected material – fair dealing in the UK or fair use in the United States, these are limited in scope, as you will see below.

Use of stock images

These days, with search engines like Google, there are thousands of images online for bloggers to use in their blogs. However, make sure your use won’t infringe copyright by checking the terms of the sites you’re using. Do the licence terms cover your blog? For example, if you may only make non commercial use, and do have promotions or otherwise make your blog pay, then don’t download from a site that only allows non commercial use as doing so may well amount to unauthorised reproduction contrary to copyright law.

Fair dealing of copyright material

What happens if, as a blogger, I want to use material such as photo from a news event, or if I want to quote from an article, or book or even if I want to parody such material?

Well, assuming that the content you want to use is protected by copyright (which is likely), the general position, at least in the UK, is that the reproduction of a substantial part of a work amounts to copyright infringement. What constitutes a “substantial part” is a complex and large topic, and will differ in each case as everything depends on the particular facts. So, let’s not get bogged down here with the somewhat tricky issue of what amounts to a “substantial part”, and instead look at what the law permits by way of certain limited exceptions which constitute fair dealing in the UK.

Although there are a number of fair dealing exceptions, only a few are likely to be relevant to bloggers. These include (a) criticism and review, parody and quotation, (b) reporting of current events, and, (c) incidental use (which is not strictly fair dealing but convenient to mention here).

If you reproduce part of a copyright work – let’s say an online article – in order to criticise or review that work or another work, your use may qualify as fair dealing under the law in the UK. This same law also protects you when you feature a quotation of a work. However, it’s important to note that you may not freely reproduce a work if you want your use to be “fair”. So, reproducing an entire article on your blog is unlikely to be fair dealing. And the exception applies only to published works. Moreover, you must normally also include a sufficient acknowledgement of the original work.

The law in the UK also provides for fair dealing of third-party copyrighted material for the purpose of reporting of current events. However, photographs are excluded from this exception and so you cannot download and reproduce a photograph for the purpose of news reporting on your blog. While it might seem obvious, the events must be “current” and you must normally include a sufficient acknowledgement.

A blogger may also make incidental use of another’s copyright work without infringing copyright in that work. However, the law in the UK expressly excludes the deliberate inclusion of another’s music or lyrics. For example, you cannot add a song in the background of a video clip and claim that your use was incidental use if the song owner objects: it is not incidental use in this example because the music was included deliberately.

Creative commons licences

The last decade has seen the rise of open access forms of disseminating works known as Creative Commons (or (“CC”) licences. These provide for standard-form licences allowing members of the public to reuse a work in particular ways. Creative commons have sought to develop a suite of licences for many types of works.

The CC licences offers copyright owners a suite or menu of terms for using content. Some of these only allow reuse in an unmodified form. Some only allow reuse with attribution. Others only allow reuse for non-commercial purposes.

While CC licences have become extremely popular in recent years, the most common kind is the “attribution, non-commercial, non-derivative works” licence which only allows the user to reproduce, distribute, or play the work in a non-modified form, only for non-commercial purposes and with attribution of authorship. As a consequence, CC licences are generally better suited to users who do not seek remuneration from copyright.

Using other’s logos or trade marks

A question that often arises is to what extent people may include the brand logos or trade marks of others in blog content. In terms of logos – say, logos of famous companies such as Virgin, Barclays, or Coca Cola – the best advice is: “don’t” because most of brand logos are usually protected by both trade mark registration, and copyright. This means that any reproduction by you on your blog of another’s brand logo is potentially copyright infringement.

In contrast, the mere reference in your blog to a word trade mark – such as “BARCLAYS BANK” or “GAP” – is unlikely to amount to trade mark infringement. This is because, generally speaking, names do not enjoy copyright protection. Also, trade mark infringement is based on consumer confusion and so a mere reference to BARCLAYS BANK in your blog is not necessarily going to confuse your readers. That said, if your use is such that the relevant consumer might be led to believe that your blog is somehow connected to or supported by Barclays Bank, your use could potentially amount to trade mark infringement. So, when in doubt stick to merely referring to their brand names and avoid using other’s trade marks in such a way as to cause consumer confusion.

So, now that you have some basic insights into the IP laws, happy blogging!

Blogs and Intellectual Property Rights – Don’t Just Blog It, Protect It

These days, any of us can be a blogger. All you need is somewhere to post your content, and an interesting angle on life – be it sports, politics, travel, food, music, you name it – you can blog your perspective on it. What’s more, you can attract a worldwide audience of thousands or even millions.

However, as well as a web presence and a flair for writing, you should also develop an awareness of intellectual property (“IP” for short) and its impact on your blogging activities.

IP is essentially about protecting our intellectual creations, and that includes of course our blog entries. But whatever A has protected, B may infringe. So, when we consider blogging and IP, you need to look in both directions: how can you, as a blogger, protect your IP and also, how can you ensure that your blog does not infringe the IP of others? Here today we look at “A” – what you have protected. In next week’s blog, we look at “B” – avoiding infringing what someone else has created or protected.

While IP embraces a bundle of different rights, in this blog we are going to briefly look at the two most important rights for bloggers: trade marks and copyright.

It really is amazing that some bloggers enjoy a huge reputation online and yet they have never protected their blog identity by means of trade mark registration. For example, it seems that Turner Barr – about whom I say a little below – of “Around the World in 80 Jobs” fame, did not file a trade mark application until after he had settled what is probably one of the most high-profile IP blog disputes to date. It’s an unfortunate fact of life that many people take IP for granted until some issue crops up, and then they really value their IP and wish they had better protected it at the outset.

Blogs Are Global – Trade Marks Are National

Blogs, being online, are global in nature. They don’t respect national borders which can make trade mark protection, which is generally national in nature, potentially complex. However, it’s advisable to file to register your blog name and blog identity as trade marks at least in your home country. In trade mark law there is something known as the “priority filing system” which enables you to apply to register your trade mark elsewhere in the world within 6 months of your initial home filing and maintain the original filing date.

Let’s turn to copyright. Copyright arises automatically as soon as your writings, photos, music or other creations are fixed in a recorded form. For example, as soon as you save your blog entry on your computer, it is protected by copyright as a literary work. Similarly, as soon as you take a photograph on your mobile phone, it too can be protected as an artistic work.

As for your blog content – such as your blog entries, photographs, music etc– it’s advisable to always keep a dated record (for example, in your computer files) in case you should ever need to prove that you created the work, and on what date you did so.

It’s a good idea too to use the copyright symbol – © – alongside your creations, such as your photographs. Use of the © symbol is generally not obligatory but it gives notice to the world that the material is protected by copyright and Courts will often proceed on the assumption that it is protected by copyright.

Although Internet Service Providers (ISPs) are not liable if another person takes your blog material and posts it elsewhere online, you still have options. For example, if the infringer refuses to take-down the lifted material, you may be able to achieve that result by filing a take-down notice with the website provider. Social media companies such as Facebook have well-established take-down procedures by which they will remove infringing content on proof that it infringes your IP rights, including your trade marks and copyright.

Turner Barr

So what about Turner Barr mentioned earlier? Turner created a highly-successful blog called “Around the World in 80 Jobs” which recounted his experiences as a young millenial in obtaining sometimes strange and wonderful jobs around the globe but which also provided information and advice to young people about gaining employment. In 2013, Swiss employment company Adecco produced their own version of his blog, and they filed trade mark applications in various countries for “Around the World in 80 Jobs”. Happily, all’s well that end’s well. After a sustained campaign on social media, Adecco agreed to drop its version of “Around the World in 80 Jobs”, and withdrew its trade mark filings.

If this pressure from social media hadn’t happened, then it would not have been at all straight-forward for Turner. The right approach is to always file to protect your blog presence as a trade mark before disputes arise such as Turner’s with Adecco.

So, in conclusion, if you blog you have IP. Make sure both to protect your blog IP, and avoid infringing the IP of others. In the next video, we will have a look at some of the issues surrounding use of the material of other people in your blog and how to avoid common mistakes.

3 Steps Every Business Needs To Take To Comply With GDPR – Apart From Email Marketing

GDPR is all about introducing greater transparency, increased accountability and enhanced privacy rights for all of us. For example, we can manage our permissions to tech platforms as a result of being notified about the data they hold and collect on us. These new rights are necessary in a world where the likes of Google collect the most mind boggling information.

The fact that GDPR requires tech companies to design their platforms with privacy built in, means a “take it or leave it” stance will no longer be the prevailing approach. The legislation has teeth. For example, there are eye watering fines for companies that ignore the regulations, which will have even the richest of them pay attention.

So, I think GDPR will introduce a sea change into the handling of data as is apparent from the changes introduced by Facebook following the recent Cambridge Analytica revelations.

Complying with GDPR

GDPR is all encompassing, impacting so many different areas of a business. So, it can be overwhelming.

A good place to start if you’re a small business wanting to understand your obligations under GDPR is the ICO’s site. There are plenty of resources provided to help you to comply, although I suspect the majority of small businesses will ultimately need help because it’s one thing to know about GDPR, but it’s quite another to know what to focus on when attempting to comply with the new laws given that there is so much to do.

There are certain actions that every business should be taking immediately to reduce GDPR risks. And that’s not the much publicised question whether or not to ask for consent to market to your lists which I previously wrote about on this blog GDPR – Why Consent Should Be Used As A Last Resort. Sadly too many advisers out there are still telling businesses that obtaining specific consent for everything is the way to go, which will place huge administrative burdens on those businesses that follow such blanket advice.

3 Steps

There are 3 steps every business should be taking in the light of the GDPR changes, that many businesses may be missing given the spotlight on email marketing. That is, to consider the data they hold in the cloud and take simple basic measures, such as:

Use strong passwords. If employees, virtual assistants, or contractors (such as your website development company) have access to your data, then are they using strong passwords so as to keep your data safe? They could easily compromise your security by their actions.
You should introduce clauses and contracts with your freelancers, and contractors. Explain the impact of GDPR. Are they using laptops with encryption? Do they know not to log into your sites in internet cafés? Are they always logging off when they leave their computers unattended? These basics are essential. You are responsible for educating your workers, contractors and other team members about GDPR and the actions they need to take so they don’t compromise security of your data or otherwise cause you to be in breach.
You want to let contractors such as your digital marketing agency, virtual assistance service, or web developers know that using outsourced staff and giving others access to your site without your knowledge is not permitted without your specific consent. These entities are processors of your data. They should not be appointing sub processors without your knowledge. You need to know if your agency is giving access to your data to a third party. Otherwise, what is the point of your doing due diligence checks when taking on an agency, only for them to engage a temporary helper (possibly using a less rigorous vetting exercise than you employ) to assist them when providing their services to you?

If you’ve not yet addressed these GDPR issues in your business then don’t delay as they are, in my view, one of the greatest security risks small businesses face.

If, on the other hand, you are an agency using outsourced team members to deliver services such as website design, form building, online questionnaire development, search engine optimisation, Facebook or Google advertising, and the like, then your business model may need some adjusting. You should be thinking about what your clients will need from you, and pre-empting their concerns.

Conclusion

With just over a month to go, and many contracts and steps to take immediately, you can’t afford to leave it any longer. While it’s unlikely you will face fines for failing to address every aspect of GDPR, doing nothing is not a sensible option. Come 25 May, your website will be a tell tale sign if you’ve not taken any steps to comply with GDPR.

We have various service options to help clients, ranging from access to templates and clauses, to providing some consultancy, or taking care of the entire process for you. Get in touch if you have would like a quote or have any questions.

How Agencies Can Protect Their Clients When Branding And New Identity Creation

While every agency understands how to use the creative process to create a brand name, few understand the legal implications of choosing one name over another.

Turning an idea into a business involves creating intangible elements like names. As these are governed by the law of intellectual property it means you are creating intellectual property.

Specifically, trade mark law protects names, and so one implication is that you need to choose a name that meets the requirements of the law.

To fully understand the impact of getting this right on both the agency and client side, it is worth reflecting on what value a brand brings to a business.

Value of a brand

A brand name is of the most valuable assets a business will have.

According to Forbes, the most valuable brand name in the world in 2017 was APPLE. It was worth $170 billion. GOOGLE takes second place, at $101 billion and MICROSOFT in third place, at $87 billion. Three words – APPLE, GOOGLE, MICROSOFT together are worth about $360 billion.

Just think about that for a moment. The world’s top three brands are worth many times the average country’s entire GDP (or annual economic output). That’s the value of a good brand name.

Based on the value of the world’s biggest brands, a good brand name needs to be:easy to pronounce and spell

• one that works internationally

• one that copes with business expansion or change of direction.

• one that is legally available

The final point is most important here.

The trade mark registers are cluttered, and the best .com domains are often already taken. Therefore, choosing a name invariably involves doing some due diligence.

An agency tasked with creating a name should really put forward a shortlist of 3-6 names for full legal clearance if the client is to stand a chance of finding one name that it may use.

Getting this wrong may not just mean the trade mark application is thrown out. The client may find itself on the wrong end of an enforcement action by another business whose trade mark is being infringed.

A name that infringes on someone else’s mark leaves the client with little choice but to rebrand. Some clients might sue an agency that created the identity for them, or require a free rebrand. Quite apart from the reputational damage for the agency, a name that the client can’t use would prove as problematic for the agency as it would for the client.

Not only is it worth getting this right to protect your agency, it also offers you an opportunity to deliver certainty and differentiation from other agencies who are less aware of the consequences.

An agency’s responsibility when creating a brand identity

When a client engages the services of a branding agency to create an identity, that agency is an adviser, and as such, is expected to understand the surrounding law.

While the agency might tell a client that certain actions that are required to clear a name for use should be undertaken by lawyers, it’s not possible to completely absolve itself of responsibility simply because some of the work involved in clearing a name is done by lawyers.

There are two levels of checks for brand names that should be undertaken:

1) Basic preliminary checks – often these do not require a lawyer and can be done through simple searches

2) Full clearance searching – in most cases done by lawyers

I’m of the view that while lawyers are always best placed to undertake full clearance and this is clearly the responsibility of the client, basic preliminary checks can and should be performed by the agency as part of the process of developing names.

This seems not to be the prevailing view.

One designer recently said to me that she does not believe she is responsible if a client of hers has problems with a name she selected for the client and the client decided not to register the name as a trade mark. According to this designer, if the client chooses not to trade mark the name then it’s the client’s fault if it later transpires there are problems with the name.

Quite apart from the fact that registering a name as a trade mark in no way helps if the name is not available to use, I have deep problems with this view. Protecting a name isn’t just about registering it as a trade mark. It’s more about checking that the name may be safely claimed.

If an agency is entrusted with creating a new brand identity, it’s reasonable for the client to expect that you will offer up names they have a fighting chance of using. This means doing some of the trade mark searches yourself, albeit leaving the full clearance searching to the lawyers.

While specialist full clearance searches might be left to the client to arrange with its own lawyers, any business choosing a new name for its clients does have a responsibility to ensure the name is legally available.

Understanding the legal requirements is essential if the selected name is to stand up to legal scrutiny. There are a number of searches that agencies should and could perform on a name – beyond a simple Google or .com search, which is often all that is done. If you fail to provide names which don’t even stand up to the most basic legal scrutiny, what is the client paying for when it pays to have a name created?

And, importantly, how does that reflect on your agency if a problem later arises?

The client’s responsibility when protecting their brand identity

Many clients don’t ask lawyers to do full clearance searches before applying for trade mark protection simply because they don’t realise this is an essential step in the process, rather than an optional step.

As clients frequently choose to not do further searches on names, (possibly because they have spent all their available budget on the brand identity work), it’s even more important for branding agencies to do “good enough” checks of names before proposing them to clients. Otherwise, what’s the point of branding a name the client can’t own? It would be building their business on a foundation of sand.

On one occasion when we were provided with a shortlist of six names by a designer, we found that the most basic search of the trade mark registers knocked out four of the names immediately. So, effectively, the client only had two names to choose from, and they were not the first choices on the list.

I hate to think what might have happened if the client hadn’t asked us to do clearance searches on the names. It might have gone with one of the names that were infringing with all the associated problems and risks.

This is why I would urge agencies to learn how to do some basic checks of the trade mark registers whenever they are creating a new identity for their clients. Indeed, a good agency should also perform its own checks on a name the client proposes using, even if the agency didn’t choose the name.

Again, it’s important to remember you’re not protected simply by virtue of registering a trade mark.

Taking steps to protect intellectual property

The identity of any well-known brand comprises a variety of elements. Trade mark law encompasses the name, and also any taglines, slogans, logos, designs, product shapes, sounds, smells, colours, and other features that distinguish a product or service from its competitors.

Bear in mind that whenever you turn an idea into a product or service you’re also creating intellectual property assets. Copyright law is highly relevant in brand creation. Therefore, copyright and other intellectual property issues need to be top of mind in the early stages of identity creation.

However, the primary identity of any successful brand is inevitably in its name. Protecting the future value of a business involves protecting the name, and also taking account of IP as a whole.

An agency should create internal processes to ensure names are properly checked out before any short list of names is offered to the client.

There are three steps that any business should take to protect its intellectual property if it is to build value, and avoid disasters such as the need to change its identity.

Imagine having to rebrand due to problems with a name or copyright work. While this might seem unimaginable for the likes of the world’s top brands, problems around names and IP can affect even them.

For example, Microsoft had to rebrand after being ordered to do so by a UK court for infringing on a trade mark owned by British Sky Broadcasting Group (BSkyB).

”Changing the name of a product as loved as SkyDrive wasn’t easy,” Microsoft’s Ryan Gavin reportedly told a journalist.

The value and safety of your own and your client’s intellectual property is more important than ever before. Do it right and the intangible assets you create could be worth far more than the cost of producing them. Do it wrong and you could miss vital opportunities, have your true value stolen or find yourself on the wrong side of an intellectual property dispute.

To find out how to protect your own agency’s intellectual property and that of your clients register your interest to learn about IP Fundamentals including the Azrights Naming course.

Register Your Interest Here

GDPR – Why Consent Should Be Used As A Last Resort

If your inbox is anything like mine, it will be full of emails about GDPR – news updates, invitations to training events, webinars and more. That’s not surprising given that GDPR represents one of the biggest shake-ups in the privacy and data protection laws since the internet.

Europe’s new data protection law, the General Data Protection Regulation is a complex piece of legislation. The text of the GDPR has changed many times so that some of the provisions that were originally proposed were dropped or changed substantially. If you’re wondering what actions you need to take to comply with the new laws by the end of May, which is when they come into effect, it’s important that you base your actions on well informed, current information.

However, if you’re a small business you probably don’t have the resources and the time to understand and deal with every minutiae in the regulations.

You may want to focus on some top-level risks. Working towards GDPR compliance, by focusing on the big picture, and addressing the most serious risks now, while committing to making other changes gradually. In my view this is a good approach. I’m not advocating that anyone should bury their head in the sand and ignore the new regulations. Just to bear in mind that complying with GDPR when you have a budget of a quarter of a million pounds to spend, (as many big businesses do have), looks very different when your budget and available time is tiny in comparison.

What GDPR Impacts

GDPR impacts the way you collect identity information, how long you store it, what processes you need to introduce to control its use, what you may do with the data, and what security arrangements you need to implement to protect that data against risks such as loss or disclosure following a cybersecurity attack, and more.

A good starting point is to make a list of the data you collect and think about how you use it, how long you store it, where you store it, and who has access to it. The purpose of this exercise is to document what you’re currently doing so you can decide what you need to do in order to better comply with GDPR. What controls and processes will you be able to put in place immediately, and what might you introduce in the future?

Consent Is Not Always Necessary

A common area of confusion is whether you must obtain consent to process people’s data. While in some cases consent may be the right way to go, it is not always the right basis on which to found your decisions.

For example, processing data for many marketing activities may be better based on “legitimate interest” (that is, you have a lawful business interest in processing the data). The term “legitimate interest” is not clearly defined but is likely to be interpreted widely. Legitimate interest or other lawful “bases” under the GDPR, apart from consent can sometimes be a much better basis to rely on than consent.

In our view consent should be used as a last resort, not a first resort. Only rely on obtaining explicit consent from data subjects where none of the other bases are engaged.

Incorporate Prominent Unsubscribe Links

Some simple steps like incorporating a prominent unsubscribe link on all your marketing emails and not emailing people from no reply emails would go a long way to avoiding annoying recipients of your emails.

For example, one email sender I’ve been trying to unsubscribe from for months is Law.com. They are sending us daily emails from a no reply mailbox. They provide no unsubscribe link. Instead you are expected to login to their site to manage your email alerts. Why should one have to do this just to unsubscribe? I have tried blocking their emails but somehow their daily emails continue to arrive into our inbox instead of being diverted to the junk folder. (I’d love to know why this is happening)

They’re by no means the only ones. IELPE is another organisation that emails us whose emails I just can’t seem to divert to the junk box. They too send their emails from a no reply email address, and don’t have an unsubscribe link.

In many cases, even where an unsubscribe link is provided in emails, I would be worried about clicking on the link unless I know the company. After all, it’s basic security management to not click on links. So this is why it would be good practice to not only provide an unsubscribe link, but to also not send marketing emails from a no reply email address.

I mention these as examples of what not to do. In my view it’s important to avoid attracting unwanted attention, and potential fines.

Conclusion

So, there are practical steps that you could and should prioritise because they’re easy to implement, and matter a lot.

I appreciate that unless you’re familiar with the regulations it can be difficult to know how to see the wood for the trees. That is why we are introducing a low cost GDPR service designed to support small business clients to implement a GDPR solution appropriate to their needs.

If you want help to tackle GDPR in a pragmatic way, so you can know how to deal with marketing emails, and whether you need to seek consent from everyone, then our solution will be relevant to you. Just register your interest to receive more details as they become available.

Register Your Interest Here

How To Legally Protect Your Domain Name

The first thing you need to do when you have an idea for a new product, service, or business is to find a name for it.

It’s well worth consulting an expert in trademarks to help you choose a name, and to establish whether your proposed name is legally available to use, and most importantly, whether it is distinctive enough to function as a trademark.

Descriptive names are not capable of trademark protection. Think of Tesco’s Clubcard for example. Tesco has been unsuccessful in its bid to register Clubcard as a trademark for its loyalty card scheme because the registry considered Clubcard too descriptive. That means any business is free to use the name Clubcard for its loyalty card program. 　

If a name isn’t descriptive, then the next thing is to do some full clearance searches to make sure the name is legally available. At the least do these checks to cover your home market in the UK.

If the name is legally available it means you can protect it and have exclusive rights over it. However, registration alone is not enough because trade mark registrations can be cancelled if someone with better rights over the name objects to your registration.

Once it’s clear the name is legally available, it means you can have a unique online brand. If others are “passing off” your brand by registering your name as a domain, you are in a strong position to recover it from them.

What if you haven’t taken advice. What if you find you can’t use the name you’ve been using for the past 10 years for your company’s successful service, or brilliant product? Your business could suffer a substantial drop in revenues overnight.

When a business is unlucky enough to be required to rebrand the costs can be significant. You could potentially suffer a substantial drop in revenues, as it is not always feasible to redirect the old domain name to your new domain. That makes it more difficult for your former customers or potential new ones to find you when searching online. .

Trademarks reduce the risk of consumers being confused about the source or origin of goods or services they buy. So, be sure to get good advice before you start using a new name. Here at Azrights we have substantial experience in all things trademark related, so do contact us if you have a trademark issue you would like help with.